From patchwork Wed Sep 17 06:33:13 2025
X-Patchwork-Submitter: Christoph Steiger
X-Patchwork-Id: 4356
From: Christoph Steiger
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, felix.moessbauer@siemens.com, gernot.hillier@siemens.com, cedric.hombourger@siemens.com, Christoph Steiger
Subject: [PATCH v2 3/4] meta: add SBOM generation with debsbom
Date: Wed, 17 Sep 2025 08:33:13 +0200
Message-Id: <20250917063314.44769-3-christoph.steiger@siemens.com>
In-Reply-To: <20250917063314.44769-1-christoph.steiger@siemens.com>
References: <20250917063314.44769-1-christoph.steiger@siemens.com>

Generate SBOMs for every rootfs that is created. These SBOMs are placed in the image deploy directory.
For the generation, a small chroot with debsbom installed is created, and from that the rootfs of the image is scanned. The SBOM generation is bound to the rootfs feature `generate-sbom`, which is now activated by default.

Signed-off-by: Christoph Steiger
Signed-off-by: Felix Moessbauer
--- meta/classes/image.bbclass | 8 ++- meta/classes/rootfs.bbclass | 7 ++- meta/classes/sbom.bbclass | 62 +++++++++++++++++++ meta/classes/sdk.bbclass | 2 +- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ 5 files changed, 106 insertions(+), 3 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index bd1b8552..220f5aa3 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -66,7 +66,13 @@ inherit multiarch inherit essential ROOTFSDIR = "${IMAGE_ROOTFS}" -ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache" +ROOTFS_FEATURES += "clean-package-cache clean-pycache generate-manifest export-dpkg-status clean-log-files clean-debconf-cache generate-sbom" +# only supported from bookworm / jammy on +ROOTFS_FEATURES:remove:buster = "generate-sbom" +ROOTFS_FEATURES:remove:bullseye = "generate-sbom" +ROOTFS_FEATURES:remove:jammy = "generate-sbom" +ROOTFS_FEATURES:remove:focal = "generate-sbom" + # when using a custom initrd, do not generate one as part of the image rootfs ROOTFS_FEATURES += "${@ '' if d.getVar('INITRD_IMAGE') == '' else 'no-generate-initrd'}" ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${@isar_multiarch_packages('IMAGE_INSTALL', d)}" diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 7b7859b9..98f5b24c 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -3,6 +3,8 @@ inherit deb-dl-dir +inherit sbom + ROOTFS_ARCH ?= "${DISTRO_ARCH}" ROOTFS_DISTRO ?= "${DISTRO}" ROOTFS_PACKAGES ?= "" 
@@ -350,6 +352,9 @@ cache_dbg_pkgs() { fi } +# The sbom generator needs the apt-cache, hence run before cleaning it +ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'do_generate_sbom', '', d)}" + ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'clean-package-cache', 'rootfs_postprocess_clean_package_cache', '', d)}" rootfs_postprocess_clean_package_cache() { sudo -E chroot '${ROOTFSDIR}' \ @@ -512,7 +517,7 @@ python do_rootfs() { } addtask rootfs before do_build -do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config" +do_rootfs_postprocess[depends] = "base-apt:do_cache isar-apt:do_cache_config ${@bb.utils.contains('ROOTFS_FEATURES', 'generate-sbom', 'sbom-chroot:do_sbomchroot_deploy', '', d)}" SSTATETASKS += "do_rootfs_install" SSTATECREATEFUNCS += "rootfs_install_sstate_prepare" diff --git a/meta/classes/sbom.bbclass b/meta/classes/sbom.bbclass new file mode 100644 index 00000000..60c89877 --- /dev/null +++ b/meta/classes/sbom.bbclass 
@@ -0,0 +1,62 @@ +# This software is a part of ISAR. +# Copyright (C) 2025 Siemens +# +# SPDX-License-Identifier: MIT + +# sbom type to generate, accepted are "cdx" or "spdx" +SBOM_TYPES ?= "spdx cdx" + +SBOM_DEBSBOM_TYPE_ARGS = "${@"-t " + " -t ".join(d.getVar("SBOM_TYPES").split())}" + +# general user variables +SBOM_DISTRO_SUPPLIER ?= "ISAR" +SBOM_DISTRO_NAME ?= "ISAR-Debian-GNU-Linux" +SBOM_DISTRO_VERSION ?= "1" +SBOM_DISTRO_SUMMARY ?= "Linux distribution built with ISAR" +SBOM_BASE_DISTRO_VENDOR ??= "debian" +SBOM_DOCUMENT_UUID ?= "" + +# SPDX specific user variables +SBOM_SPDX_NAMESPACE_PREFIX ?= "https://spdx.org/spdxdocs" + +DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}" + +SBOM_DIR = "${DEPLOY_DIR}/sbom" +SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot" + +# adapted from the isar-cip-core image_uuid.bbclass +def generate_document_uuid(d): + import uuid + + base_hash = d.getVar("BB_TASKHASH") + if base_hash is None: + bb.warn("no BB_TASKHASH available, SBOM UUID is not reproducible") + return uuid.uuid4() + return str(uuid.UUID(base_hash[:32], version=4)) + +def sbom_doc_uuid(d): + if not d.getVar("SBOM_DOCUMENT_UUID"): + d.setVar("SBOM_DOCUMENT_UUID", generate_document_uuid(d)) + +generate_sbom() { + sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs ${SBOM_CHROOT}/mnt/deploy-dir + + TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH}) + bwrap \ + --unshare-user \ + --unshare-pid \ + --bind ${SBOM_CHROOT} / \ + --bind ${ROOTFSDIR} /mnt/rootfs \ + --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \ + -- debsbom generate ${SBOM_DEBSBOM_TYPE_ARGS} -r /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \ + --distro-name '${SBOM_DISTRO_NAME}' --distro-supplier '${SBOM_DISTRO_SUPPLIER}' \ + --distro-version '${SBOM_DISTRO_VERSION}' --base-distro-vendor '${SBOM_BASE_DISTRO_VENDOR}' \ + --cdx-serialnumber '${SBOM_DOCUMENT_UUID}' \ + --spdx-namespace '${SBOM_SPDX_NAMESPACE_PREFIX}'-'${SBOM_DOCUMENT_UUID}' \ + --timestamp $TIMESTAMP +} + +python do_generate_sbom() { + sbom_doc_uuid(d) + 
bb.build.exec_func("generate_sbom", d) +} diff --git a/meta/classes/sdk.bbclass b/meta/classes/sdk.bbclass index 46436d97..644b0623 100644 --- a/meta/classes/sdk.bbclass +++ b/meta/classes/sdk.bbclass @@ -55,7 +55,7 @@ def get_rootfs_distro(d): ROOTFS_ARCH:class-sdk = "${HOST_ARCH}" ROOTFS_DISTRO:class-sdk = "${@get_rootfs_distro(d)}" ROOTFS_PACKAGES:class-sdk = "sdk-files ${SDK_TOOLCHAIN} ${SDK_PREINSTALL} ${@isar_multiarch_packages('SDK_INSTALL', d)}" -ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status" +ROOTFS_FEATURES:append:class-sdk = " clean-package-cache generate-manifest export-dpkg-status generate-sbom" ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" ROOTFS_DPKGSTATUS_DEPLOY_DIR:class-sdk = "${DEPLOY_DIR_SDKCHROOT}" diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb new file mode 100644 index 00000000..a9afcbbe --- /dev/null +++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb @@ -0,0 +1,30 @@ +# This software is a part of ISAR. +# +# Copyright (C) 2025 Siemens + +LICENSE = "gpl-2.0" +LIC_FILES_CHKSUM = "file://${LAYERDIR_core}/licenses/COPYING.GPLv2;md5=751419260aa954499f7abaabaa882bbe" + +PV = "1.0" + +inherit rootfs + +ROOTFS_ARCH = "${HOST_ARCH}" +ROOTFS_DISTRO = "${HOST_DISTRO}" +ROOTFS_BASE_DISTRO = "${HOST_BASE_DISTRO}" + +ROOTFS_FEATURES = "no-generate-initrd" + +# additional packages for the SBOM chroot +SBOM_IMAGE_INSTALL = "python3-debsbom" + +DEPENDS = "python3-debsbom" + +ROOTFSDIR = "${WORKDIR}/rootfs" +ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}" + +do_sbomchroot_deploy[dirs] = "${SBOM_DIR}" +do_sbomchroot_deploy() { + ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}" +} +addtask do_sbomchroot_deploy before do_build after do_rootfs
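Review bot: the comment `# only supported from bookworm / jammy on` in the image.bbclass hunk contradicts the override directly below it, `ROOTFS_FEATURES:remove:jammy = "generate-sbom"`, which disables the feature on jammy. Either drop the jammy removal (if debsbom does run there) or change the comment to name the first Ubuntu release that is actually supported; as written, a reader cannot tell which of the two reflects the intended behaviour.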
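Review bot: the ordering that `# The sbom generator needs the apt-cache, hence run before cleaning it` relies on, in the rootfs.bbclass ROOTFS_POSTPROCESS_COMMAND hunk, is only the textual order of two `+=` statements; nothing enforces that do_generate_sbom runs before rootfs_postprocess_clean_package_cache, so a later reordering or a prepend from another layer would silently produce an SBOM from a rootfs without its apt cache. A matching comment on the clean-package-cache line, or an early check in generate_sbom that the cache is still present with a clear error message, would make the constraint explicit.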
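Review bot: in generate_sbom in the new sbom.bbclass, the bwrap sandbox unshares the user and PID namespaces but not the network namespace, and it mounts the image rootfs read-write (`--bind ${ROOTFSDIR} /mnt/rootfs`). Producing an SBOM from a local rootfs and apt cache needs neither network access nor write access to the image, so adding `--unshare-net` and using `--ro-bind` for `${ROOTFSDIR}` (and for `${SBOM_CHROOT}` as `/`) would limit what a bug in the scanner or crafted package metadata inside the scanned rootfs could do to the image being built, and would make the output more obviously reproducible. Two smaller points in the same hunk: generate_document_uuid returns `uuid.uuid4()` (a UUID object) on the warning path but `str(...)` on the normal path, and the result is stored with d.setVar, so the fallback should be wrapped in str() as well; and the comment `accepted are "cdx" or "spdx"` should say that SBOM_TYPES is a space-separated list, since the default is `"spdx cdx"` and SBOM_DEBSBOM_TYPE_ARGS splits it. bwrap is also run from the build host here without any visible declaration of that host-tool requirement.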
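Review bot: enabling generate-sbom in `ROOTFS_FEATURES:append:class-sdk` without a matching `DEPLOY_DIR_SBOM:class-sdk` override sends the SDK's SBOM to DEPLOY_DIR_IMAGE, while the neighbouring lines route the SDK manifest and dpkg status to `${DEPLOY_DIR_SDKCHROOT}`. Adding `DEPLOY_DIR_SBOM:class-sdk = "${DEPLOY_DIR_SDKCHROOT}"` next to `ROOTFS_MANIFEST_DEPLOY_DIR:class-sdk` keeps the SDK artefacts together and avoids two different rootfs SBOMs being written under the same `${PN}-${DISTRO}-${MACHINE}` naming scheme into one directory.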
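Review bot: do_sbomchroot_deploy in the new sbom-chroot.bb publishes the chroot as a symlink from `${SBOM_CHROOT}` into this recipe's own `${WORKDIR}/rootfs`, so the consumer's `sudo mkdir -p ${SBOM_CHROOT}/mnt/rootfs` and the bwrap `--bind ${SBOM_CHROOT} /` in sbom.bbclass write into and mount another recipe's work tree; after `bitbake -c clean sbom-chroot` the link dangles and every image's do_generate_sbom fails without pointing at sbom-chroot as the cause. Deploying a copy instead of a symlink, or at least checking in generate_sbom that `${SBOM_CHROOT}` resolves and naming sbom-chroot in the error, would make that failure mode clear. A one-line comment on why `DEPENDS = "python3-debsbom"` is needed in addition to `ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"` would also help readers of the recipe.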